Ask who’s responsible for the security of a building’s camera and access control network, and you’ll usually get a pause, then a deflection. The integrator says they delivered what the contract specified. The IT department says they were handed a finished system they didn’t design and can’t fully see. The facilities team says it’s a security system, so surely security owns it. The security team means guards and policy, not subnets. Everyone is partly right, which is another way of saying nobody owns it.
That gap is the actual vulnerability. Not a specific unpatched camera, though there are plenty of those. The structural problem is that the network between the integrator and IT belongs to no one, and unowned infrastructure doesn’t get secured, monitored, or maintained.
Why this is a national-stakes problem, not a building problem
For a single office, an unowned camera network is a manageable risk. For the systems that run a country, it’s something else. State-linked intrusion campaigns spent the last few years getting quiet and patient inside critical infrastructure networks, living off the land, waiting. The Volt Typhoon and Salt Typhoon activity that surfaced is the clearest public example of the pattern: not smash-and-grab, but long, careful positioning inside the kinds of networks that keep water moving and power flowing.
Physical security systems are an ideal way in. They’re networked, they’re numerous, they’re rarely segmented well, they’re patched late if at all, and they sit inside facilities that matter. A camera fleet on a flat network at a utility is not a facilities problem. It’s an attack surface on critical infrastructure, and the reason it stays open is governance, not technology.
You can’t buy your way out of a responsibility gap
The instinct is to reach for a product. A new firewall, a monitoring tool, a network access control appliance. Tools help, but they don’t decide who’s accountable, and accountability is the thing that’s missing. A monitoring platform that nobody owns generates alerts that nobody reads.
What closes the gap is a decision. Someone has to own the security of the physical security network, end to end, with the authority and the budget that go with it. That ownership has to be named before the next system gets installed, not discovered during the incident review after it’s breached.
What ownership actually looks like
It’s unglamorous, which is part of why it gets skipped. A named owner for the security estate’s network posture. A requirement that integrators meet a security standard as a condition of acceptance, not a nice-to-have. Segmentation and monitoring that someone is responsible for maintaining. And documentation good enough that the IT team inheriting the system knows what they have. None of that is a product you can purchase. All of it is a choice an organization can make.
The organizations that get this right treat the network under their physical security the way they treat any other production network, because that’s what it is. The ones that don’t are leaving a door open in a building that can’t afford an open door, and calling it someone else’s job.
If you’re trying to figure out who owns this in your organization, or you’ve realized the answer is no one, that’s the conversation I have with leadership.
Hans Study is an independent security advisor and fractional CISO in Ontario, Canada. He has spent two decades on critical infrastructure, defence, and public safety networks.